Formal Development of a Clock Synchronization Circuit

Paul S. Miner 


This talk presents the latest stage in a formal development of a fault-tolerant clock synchronization 
circuit. The development spans from a high level specification of the required properties to a circuit realizing 
the core function of the system. 

An abstract description of the algorithm has been verified to satisfy the high-level properties using the
mechanical verification system Ehdm [2]. This abstract description is recast as a behavioral specification
input to the Digital Design Derivation system (DDD) developed at Indiana University [1]. DDD provides
a formal design algebra for developing correct digital hardware. Using DDD as the principal design
environment, a core circuit implementing the clock synchronization algorithm was developed [3]. The design
process consisted of standard DDD transformations augmented with an ad hoc refinement justified using the
Prototype Verification System (PVS) from SRI International [4].

Subsequent to the above development, Wilfredo Torres-Pomales discovered an area-efficient realization
of the same function [5]. Establishing correctness of this optimization requires reasoning in arithmetic, so a
general verification is outside the domain of both DDD transformations and model-checking techniques.

DDD represents digital hardware by systems of mutually recursive stream equations. A collection of PVS 
theories was developed to aid in reasoning about DDD-style streams. These theories include a combinator 
for defining streams that satisfy stream equations, and a means for proving stream equivalence by exhibiting 
a stream bisimulation. 

DDD was used to isolate the sub-system involved in Torres-Pomales' optimization. The equivalence
between the original design and the optimized design was verified in PVS by exhibiting a suitable
bisimulation. The verification depended upon type constraints on the input streams and made extensive use
of the PVS type system. The dependent types in PVS provided a useful mechanism for defining an appropriate
bisimulation.
Slide titles from the talk, with the PVS fragments that survive from them:

Design Hierarchy
New Informal Description of Algorithm
Torres-Pomales' Optimization
Signal Assumptions Justifying Optimization

    nth(S: Stream, n: nat): alpha = hd(iterate(tl, n)(S))

    co_induct: THEOREM (EXISTS (R: Bisimulation): R(X, Y))

Stream Equations for Optimized Sub-Circuit
PVS Definitions for Circuit Verification

    C(R): TYPE = {I | Invariant(NOT R => EQ(tl(I), INC(I)))}

Correctness Theorem
Proof of Optimize.correct by co-induction
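The stream vocabulary above (hd/tl, nth defined through iterate, a circuit as a stream equation, an input type constrained by NOT R => tl(I) = INC(I), and equality of two designs established by a bisimulation) is shown below in a worked example added here; it is not code from the talk, from DDD or from the PVS development, and the circuits are invented. The original design reads the two low bits of a full-width counter input I; the area-saving design is a 2-bit register clocked by R alone. The 8-bit width, the assumption that I restarts at zero when R is high (the abstract only constrains the NOT R case), and the candidate relation are all assumptions of this example. Where the paper uses PVS co-induction, the example checks the relation exhaustively over the finite global state space, which is sufficient because the environment and both designs are finite-state. It also shows why the type constraint matters: driven by an input stream outside C(R), the two designs diverge.

```python
"""Constructed illustration (not the paper's circuit, not DDD or PVS code) of
lazy streams, nth via iterate, two designs as stream equations, and a
bisimulation under an input-type constraint.  Widths and reset behaviour assumed."""
from dataclasses import dataclass
from itertools import product
from typing import Any, Callable, Optional

@dataclass(frozen=True)
class Stream:
    """Infinite stream: hd is available now, tl is a thunk evaluated on demand."""
    hd: Any
    _tl: Callable[[], "Stream"]

    @property
    def tl(self) -> "Stream":
        return self._tl()

def cons(x: Any, rest: Callable[[], Stream]) -> Stream:
    return Stream(x, rest)

def iterate(f: Callable, n: int) -> Callable:
    """iterate(f, n)(x) applies f to x n times (a loop, so large n is fine)."""
    def go(x):
        for _ in range(n):
            x = f(x)
        return x
    return go

def nth(s: Stream, n: int) -> Any:
    """nth(S, n) = hd(iterate(tl, n)(S)), the definition on the slide."""
    return iterate(lambda t: t.tl, n)(s).hd

# The input type C(R): NOT R => tl(I) = INC(I).  The abstract does not say what I
# does when R is high; assumed here: the counter restarts at zero.  The 8-bit
# width is likewise an assumption.
WIDTH = 8
MASK = (1 << WIDTH) - 1

def next_i(i: int, r: bool) -> int:
    return 0 if r else (i + 1) & MASK        # INC, wrapping at WIDTH bits

def admissible(i: int, rs: Stream) -> Stream:
    """Stream of (I, R) pairs in C(R): R is the free stream rs, I is forced."""
    return cons((i, rs.hd), lambda: admissible(next_i(i, rs.hd), rs.tl))

def orig(ins: Stream) -> Stream:
    """Original design: the two low bits of the full-width input I."""
    i, _r = ins.hd
    return cons(i & 3, lambda: orig(ins.tl))

def opt_step(c: int, r: bool) -> int:
    return 0 if r else (c + 1) & 3

def opt(ins: Stream, c: int = 0) -> Stream:
    """Area-saving design: a 2-bit register driven by R alone; never reads I."""
    _i, r = ins.hd
    return cons(c, lambda: opt(ins.tl, opt_step(c, r)))

def related(i: int, c: int) -> bool:
    """Candidate bisimulation on global states (counter I, register c)."""
    return c == (i & 3)

def is_bisimulation(rel: Callable[[int, int], bool]) -> bool:
    """Exhaustive check standing in for the PVS co-induction: related states
    give equal outputs now and stay related after every admissible step."""
    for i, c in product(range(MASK + 1), range(4)):
        if not rel(i, c):
            continue
        if (i & 3) != c:                       # orig output vs opt output
            return False
        if not all(rel(next_i(i, r), opt_step(c, r)) for r in (False, True)):
            return False
    return True

def first_mismatch(sa: Stream, sb: Stream, n: int) -> Optional[int]:
    """First index below n where two streams differ, or None."""
    for k in range(n):
        if sa.hd != sb.hd:
            return k
        sa, sb = sa.tl, sb.tl
    return None

def periodic(bits: str) -> Stream:
    """Free R stream repeating a 0/1 pattern; '1' asserts the reset."""
    def at(k: int) -> Stream:
        return cons(bits[k] == "1", lambda: at((k + 1) % len(bits)))
    return at(0)

def demo() -> tuple:
    ins = admissible(0, periodic("0000000100"))      # I = 0, c = 0 are related
    proved = is_bisimulation(related) and related(0, 0)
    same = first_mismatch(orig(ins), opt(ins, 0), 300)
    # Outside C(R): a counter that jumps by two.  The bisimulation says nothing
    # about such inputs, and the optimized design diverges on the second cycle.
    def jumpy(i: int) -> Stream:
        return cons((i, False), lambda: jumpy((i + 2) & MASK))
    diverge = first_mismatch(orig(jumpy(0)), opt(jumpy(0), 0), 300)
    return proved, same, diverge                      # (True, None, 1)
```

Running demo() returns (True, None, 1): the relation is a bisimulation and the initial states are related, so by the co-induction principle the two output streams are equal on every input in C(R), which the 300-cycle comparison confirms; the third value is the first cycle at which the designs disagree once the type constraint is violated. The Stream tail is deliberately an unmemoised thunk, so each design's equation is re-evaluated independently, matching the stream-equation reading of DDD rather than a shared simulation trace.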